From cc5cfe437a5d73f18c1bb99bb9e21fd037c3b3f3 Mon Sep 17 00:00:00 2001 From: Jeroen Derks Date: Fri, 21 Oct 2022 18:46:39 +0200 Subject: [PATCH] added support for alpine without systemd --- .gitignore | 1 + openvpn-install.sh | 79 ++++++++++++++++++++++++++++++++++++++++------ 2 files changed, 70 insertions(+), 10 deletions(-) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..0d3a016 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +*.ovpn diff --git a/openvpn-install.sh b/openvpn-install.sh index 4235723..19e9bda 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -38,6 +38,15 @@ elif [[ -e /etc/fedora-release ]]; then os="fedora" os_version=$(grep -oE '[0-9]+' /etc/fedora-release | head -1) group_name="nobody" +elif [[ -e /etc/alpine-release ]]; then + os="alpine" + os_version=$(cat /etc/alpine-release | cut -d '"' -f 2 | tr -d '.') + group_name="nobody" + if [[ ! -d /dev/net ]]; then + mkdir -p /dev/net && \ + mknod /dev/net/tun c 10 200 && \ + chmod 600 /dev/net/tun + fi else echo "This installer seems to be running on an unsupported distribution. Supported distros are Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora." @@ -99,8 +108,13 @@ new_client () { } if [[ ! -e /etc/openvpn/server/server.conf ]]; then - # Detect some Debian minimal setups where neither wget nor curl are installed - if ! hash wget 2>/dev/null && ! hash curl 2>/dev/null; then + # Detect some minimal setups where neither wget nor curl are installed + if [[ "$os" = "alpine" ]] && ( ! hash curl || ! hash iptables ) 2>/dev/null; then + echo "curl and iptables are required to use this installer." + read -n1 -r -p "Press any key to install curl and iptables and continue..." + apk update + apk add curl iptables + elif ! hash wget 2>/dev/null && ! hash curl 2>/dev/null; then echo "Wget is required to use this installer." read -n1 -r -p "Press any key to install Wget and continue..." apt-get update @@ -129,7 +143,7 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then echo echo "This server is behind NAT. What is the public IPv4 address or hostname?" # Get public IP and sanitize with grep - get_public_ip=$(grep -m 1 -oE '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' <<< "$(wget -T 10 -t 1 -4qO- "http://ip1.dynupdate.no-ip.com/" || curl -m 10 -4Ls "http://ip1.dynupdate.no-ip.com/")") + get_public_ip=$(grep -m 1 -oE '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' <<< "$( [[ "$os" != "alpine" ]] && hash wget > /dev/null 2>&1 && wget -T 10 -t 1 -4qO- "http://ip1.dynupdate.no-ip.com/" || curl -m 10 -4Ls "http://ip1.dynupdate.no-ip.com/")") read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip # If the checkip service is unavailable and user didn't provide input, ask again until [[ -n "$get_public_ip" || -n "$public_ip" ]]; do @@ -203,7 +217,9 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then echo echo "OpenVPN installation is ready to begin." # Install a firewall if firewalld or iptables are not already available - if ! systemctl is-active --quiet firewalld.service && ! hash iptables 2>/dev/null; then + if [[ "$os" = "alpine" ]]; then + firewall="iptables" + elif ! systemctl is-active --quiet firewalld.service && ! hash iptables 2>/dev/null; then if [[ "$os" == "centos" || "$os" == "fedora" ]]; then firewall="firewalld" # We don't want to silently enable firewalld, so we give a subtle warning @@ -216,7 +232,7 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then fi read -n1 -r -p "Press any key to continue..." # If running inside a container, disable LimitNPROC to prevent conflicts - if systemd-detect-virt -cq; then + if [[ "$os" != "alpine" ]] && systemd-detect-virt -cq; then mkdir /etc/systemd/system/openvpn-server@server.service.d/ 2>/dev/null echo "[Service] LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf @@ -227,12 +243,17 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab elif [[ "$os" = "centos" ]]; then yum install -y epel-release yum install -y openvpn openssl ca-certificates tar $firewall + elif [[ "$os" = "alpine" ]]; then + apk update + apk add openvpn openssl $firewall else # Else, OS must be Fedora dnf install -y openvpn openssl ca-certificates tar $firewall fi # If firewalld was just installed, enable it - if [[ "$firewall" == "firewalld" ]]; then + if [[ "$os" = "alpine" ]]; then + rc-update add iptables default + elif [[ "$firewall" == "firewalld" ]]; then systemctl enable --now firewalld.service fi # Get easy-rsa @@ -343,7 +364,20 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf # Enable without waiting for a reboot or service restart echo 1 > /proc/sys/net/ipv6/conf/all/forwarding fi - if systemctl is-active --quiet firewalld.service; then + if [[ "$os" = "alpine" ]]; then + iptables_path=$(command -v iptables) + $iptables_path -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip + $iptables_path -I INPUT -p $protocol --dport $port -j ACCEPT + $iptables_path -I FORWARD -s 10.8.0.0/24 -j ACCEPT + $iptables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT + if [[ -n "$ip6" ]]; then + ip6tables_path=$(command -v ip6tables) + $ip6tables_path -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6 + $ip6tables_path -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT + $ip6tables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT + fi + rc-update add openvpn default + elif systemctl is-active --quiet firewalld.service; then # Using both permanent and not permanent rules to avoid a firewalld # reload. # We don't use --add-service=openvpn because that would only work with @@ -427,7 +461,11 @@ cipher AES-256-CBC ignore-unknown-option block-outside-dns verb 3" > /etc/openvpn/server/client-common.txt # Enable and start the OpenVPN service - systemctl enable --now openvpn-server@server.service + if [[ "$os" = "alpine" ]]; then + rc-service openvpn start + else + systemctl enable --now openvpn-server@server.service + fi # Generates the custom client.ovpn new_client echo @@ -518,7 +556,20 @@ else if [[ "$remove" =~ ^[yY]$ ]]; then port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2) protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2) - if systemctl is-active --quiet firewalld.service; then + if [[ "$os" = "alpine" ]]; then + # remove iptables rules + iptables_path=$(command -v iptables) + $iptables_path -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip + $iptables_path -D INPUT -p $protocol --dport $port -j ACCEPT + $iptables_path -D FORWARD -s 10.8.0.0/24 -j ACCEPT + $iptables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT + if grep -qs "server-ipv6" /etc/openvpn/server/server.conf; then + ip6tables_path=$(command -v ip6tables) + $ip6tables_path -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6 + $ip6tables_path -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT + $ip6tables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT + fi + elif systemctl is-active --quiet firewalld.service; then ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24' | grep -oE '[^ ]+$') # Using both permanent and not permanent rules to avoid a firewalld reload. firewall-cmd --remove-port="$port"/"$protocol" @@ -541,12 +592,20 @@ else if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then semanage port -d -t openvpn_port_t -p "$protocol" "$port" fi - systemctl disable --now openvpn-server@server.service + if [[ "$os" = "alpine" ]]; then + rc-service openvpn stop + rc-update del openvpn + else + systemctl disable --now openvpn-server@server.service + fi rm -f /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf rm -f /etc/sysctl.d/99-openvpn-forward.conf if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then rm -rf /etc/openvpn/server apt-get remove --purge -y openvpn + elif [[ "$os" = "alpine" ]]; then + rm -rf /etc/openvpn/server + apk del openvpn else # Else, OS must be CentOS or Fedora yum remove -y openvpn